Looking Towards the Future with Teachings from the Past
Cybersecurity Forum Opening Keynote, February 11, 2019
Ron Mehring, CISSP
VP Technology & Security, CISO, Texas Health Resources
Axel Wirth, CPHIMS, CISSP, HCISPP
Distinguished Technical Architect, Symantec Corporation
Conflict of Interest

Ron Mehring, CISSP has no real or apparent conflicts of interest to report.

Axel Wirth, CPHIMS, CISSP, HCISPP is employed by Symantec, a cybersecurity vendor, but has no real or apparent conflicts of interest to report.
Learning Objectives

- Identify how cyber-attacks were actually executed and understand cyber-attack trends
- Explain how effective response to cyber-attacks can mitigate the impact and damage
- Discuss what we may expect in the coming year regarding cyber-attacks in the healthcare space
- State lessons learned from the past to assist with the present and what is anticipated in the future
Agenda

1. Evolution of Cyber-Attacks
2. Effective response and impact mitigation
3. What we may expect in the coming year
4. Lessons learned and anticipating the future
5. Discussion / Q&A
Cybersecurity Historic Timeline

Ancient History (1940s to 1980s)
- 1949: Theory of self-replicating code (J. von Neumann)
- 1950s: "Core Wars" game (Bell Labs)
- 1970: "Creeper" concept demo (ARPANET, PDP-10)
- 1972: First fully functional virus (V. Risak, TU Vienna, Siemens)
- 1973: "A Disease of Machinery" (Westworld, MGM)
- 1980: Analogy to the biological virus (J. Kraus, U of Dortmund)
- 1982: "Elk Cloner" released (15-year-old author, Apple II)

Middle Ages (1980s to 2000s)
- 1984: General definition of "computer virus" (F. Cohen, UC)
- 1986: "Brain", tracking copyright violations (MS-DOS)
- 1987: "SCA" leads to the first virus checker (Amiga, est. 40%)
- 1989: "AIDS", first ransomware (MS-DOS)
- 1995: "Concept", first macro virus (MS Word)
- 1999: "Melissa", first use of social engineering; 20% of the world's computers

Modern Age (2000s to today)
- 2000: "ILOVEYOU", million+ infections in hours
- 2002: "SQL Slammer", fastest worm
- 2007/08: Reports of cyberwarfare (Syria, Ukraine, Georgia)
- 2008: "Conficker" infects est. 15M computers
- 2010: "Stuxnet" sabotage of the Iranian nuclear program
- 2011/12: Multiple highly sophisticated viruses (e.g. Duqu, Flame)
- 2013: "CryptoLocker" ransomware; "Darlloz" IoT virus
- 2016: "Mirai", highly disruptive IoT DDoS, up to 1 Tbit/s
- 2017: "WannaCry" & "Petya" cause $B+ losses
Conficker: Happy 10th Birthday

Conficker (W32.Downadup) computer worm:
- 5 variants produced (Nov. 2008 to April 2009); targets Win2k, XP, Server 2003 & 2008, Vista
- Multiple purposes: open backdoors, spam bot, keylogger, download other malware, ...
- Multiple propagation methods: Internet, LAN, shared folders, mapped drives, peer-to-peer networking, portable media (USB)
- Estimated to have infected up to 15 million computers (compare WannaCry: 350,000)
- Advanced capabilities and highly resilient:
  - Hides and replicates before becoming active
  - Scans the network for machines with the same vulnerability
  - Protects itself (e.g. disables AV and Windows Update)
- Still prevalent but limited impact:
  - No active C&C servers
  - Fewer infections as the targeted OS versions decline; may have run its course by 2020
  - Latent infections reside on legacy systems, e.g. the leading malware in healthcare (June 2016)
- Other noteworthy facts:
  - $250,000 bounty still available!
  - The end goal of Conficker has never become clear
- Other long-living malware: Sality (2003), MyDoom (2004), Zeus (2011), Mirai (2016)
Emotet: Rolling with Opportunities

Mealybug cyber crime actor:
- Active since at least 2014
- Initially targeted the banking industry in Europe
- Custom malware Trojan.Emotet (network worm); brute-force attack via a password list
- Started shifting focus in 2017: providing delivery services for other threat actors, with Trojan.Emotet functioning as a "loader"
- Geographic expansion: Europe, then the U.S. (also Canada, Mexico, China)

Key modules, per direction of the C&C server:
- Banking module: steals banking details from network traffic
- Email client infostealer: email credentials
- Browser infostealer: browsing history and passwords
- PST infostealer: email addresses
- DDoS module: carries out DDoS attacks

Mealybug, as an evolving threat actor, has been refining its techniques:
- Shifted from a few regional banking attacks to a global distributor for other groups
- Maximizing returns based on core competency and the tools available

Source: Symantec ISTR
High Impact Malware: Care Delivery, Supply Chain, Privacy

WannaCry, Petya
- EternalBlue exploit (NSA leak)
- WannaCry (May 2017): faulty ransomware, ~$4-8B global impact
- Petya (June 2017): cloaked ransomware (a wiper), ~$10B impact
- WannaCry care delivery impact (UK NHS):
  - 81 of 236 hospital trusts; 595 of 7,545 GP practices
  - 1,000+ systems, 19,000 appointments, ~£92M loss
  - Root cause: underinvestment, patching
  - Led to a £21M security investment
- WannaCry still active!
- Petya healthcare supply chain impact:
  - Global pharma company: ~$310M loss, affected global drug and vaccine availability
  - Transcription service provider: ~$68M loss, impacted hosted transcription service

Trojan.Nibatad
- Largest national healthcare provider in SE Asia; July 2018 attack
- 1.5M records, incl. the Prime Minister's
- Post mortem report:
  - Breach identified, but no action taken
  - Missing risk assessment
  - Lack of training, awareness, and concern
  - Lack of vulnerability scans and pen testing
  - Missing patch, poor password policies
- 16 recommendations (7 critical):
  - Enhance security structure
  - Review and assess the cyber security stack
  - Improve staff awareness to prevent, detect, and respond to security incidents
  - Enhanced security checks
  - Tighten privileged admin account controls
  - Improve incident response processes
  - Private/public partnerships around security
Summary: Threat Landscape Trends

Cybercrime continues to follow money and opportunity.

Top 10 malware, Dec. 2018 (source: CIS): Emotet, Kovter, ZeuS, NanoCore, Cerber, Gh0st, CoinMiner, Trickbot, WannaCry, Xtrat

- Worms are back: hitting networks today; expect next-generation IoT worms
- Targeted attacks are hitting diverse targets: profiling, targeting, and execution continue to improve (e.g. the Orangeworm group in healthcare)
- Email malware rates are increasing again: dropped 50% in 2017, back up in 1H 2018
- BEC scams continue to be profitable: Business Email Compromise, $12B loss in 6 years
- Ransomware numbers are stable: crowded market, some actors have moved on
- Cryptojacking remains popular, but rises and falls with cryptocurrency value
- IoT devices are the soft target: patching, default credentials, forgotten devices; 159% increase in attacks (7/17 to 7/18)
Effective Response

1. Preparation: Getting Organized
   Preparation is the key to managing the incident response cycle and reducing impact.
2. Execution: Detection and Response
   Response activities must account for multiple conditions and the complexity of the organization.
3. Communication: Escalation and Peering
   Timely escalation to peering response groups and leadership teams.
Effective Response: Preparation

[Incident response phases shown as a ribbon on this and the following slides: Preparation > Analysis/Detection > Containment > Eradication > Recovery > Post-Incident Activity. This slide covers Preparation.]

- Identity Inventory: accurate inventory of identities and entitlements across the technology and application portfolio.
- Asset Inventory: accurate inventory of technology assets that includes location, criticality and use.
- Data Inventory: inventory of sensitive data and data flows.
- Tool Management: inventory of analytics and response tools.
- Threat Catalog: catalog of potential threats with associated response playbooks.
- Exercises: incident exercise plan tailored to unique environments and playbooks.
Effective Response: Execution

Effective incident response plans account for diverse operating environments and stakeholder protection, detection and response needs. Playbooks, built during the Preparation phase, reduce the time to respond and remediate.

Risk-Based Equilibrium: three protection goals that must be balanced
1. Protect Data Confidentiality (Privacy): regulated data, credit card data. Requirements may conflict with patient safety needs.
2. Protect the Enterprise (Cybersecurity): control robustness must balance reliability and security.
3. Protect the Patient (Patient Safety): medical devices and other critical care device protection needs may conflict with data confidentiality requirements.
Effective Response: Playbooks

Example: Malware Attack Playbook

Triage questions that select the playbook:
- What type of attack?
- What type of asset, identity, data type?
- Exposure?

Cascading unique playbooks: the cyber/technology teams' incident response phases cascade into stakeholder-specific playbooks for
- Privacy
- Patient Safety
- Physical Security
- Legal
- HICS/System Preparedness
- Treasury (PCI)
- HTM (Medical Devices)
- HR
- Risk Financing
- Business Process Owners
- Facilities
- JV/Business Partners/Vendors
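The cascade on the Playbooks slide and the risk-based equilibrium on the Execution slide can be written down as a small rule set. The following is an added example, not code from the keynote or from either presenter's organization: it answers the three triage questions (attack type; asset, identity and data type; exposure), fans out to the stakeholder playbooks named on the slide, and refuses to auto-isolate a medical device that is in clinical use. Playbook IDs, trigger rules, action names and escalation tiers are all assumptions.

```python
"""Cascading playbook selection for a malware incident (added example, not the
keynote's code). All playbook IDs, trigger rules and action names are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Incident:
    attack_type: str            # "ransomware" | "worm" | "banking_trojan" | ...
    asset_class: str            # "workstation" | "server" | "medical_device" | "pos_terminal"
    data_types: FrozenSet[str]  # subset of {"PHI", "PCI"}
    privileged_identity: bool   # an admin-level identity was used or exposed
    exposure: str               # "contained" | "lateral" | "external"
    in_clinical_use: bool = False  # device is attached to a patient / in active care


# Base technical playbook per attack type (hypothetical IDs).
BASE_PLAYBOOK: Dict[str, str] = {
    "ransomware": "PB-MAL-RANSOM",
    "worm": "PB-MAL-WORM",
    "banking_trojan": "PB-MAL-BANKER",
}

# Stakeholder cascade: (stakeholder playbook from the slide, trigger rule).
# The trigger rules are assumed; in practice they come from the data, asset and
# identity inventories built in the Preparation phase.
CASCADE: List[Tuple[str, Callable[[Incident], bool]]] = [
    ("Privacy",                      lambda i: "PHI" in i.data_types),
    ("Legal",                        lambda i: "PHI" in i.data_types or i.exposure == "external"),
    ("Treasury (PCI)",               lambda i: "PCI" in i.data_types),
    ("HTM (Medical Devices)",        lambda i: i.asset_class == "medical_device"),
    ("Patient Safety",               lambda i: i.asset_class == "medical_device" and i.in_clinical_use),
    ("HICS/System Preparedness",     lambda i: i.attack_type in ("worm", "ransomware") and i.exposure != "contained"),
    ("Business Process Owners",      lambda i: i.asset_class in ("server", "pos_terminal", "medical_device")),
    ("JV/Business Partners/Vendors", lambda i: i.exposure == "external"),
    ("Risk Financing",               lambda i: i.exposure == "external"),
]


def containment_actions(i: Incident) -> List[str]:
    """Containment steps, resolving the data-confidentiality vs patient-safety conflict."""
    actions: List[str] = []
    if i.asset_class == "medical_device" and i.in_clinical_use:
        # Risk-based equilibrium: a device treating a patient is not pulled off the
        # network automatically; segment and watch it, and let HTM/clinical staff decide.
        actions += ["segment_network_port", "monitor_device_traffic",
                    "notify_htm_before_any_isolation"]
    else:
        actions.append("isolate_host")
    if i.privileged_identity:
        # Mirrors the 'tighten privileged admin account controls' recommendation.
        actions += ["disable_privileged_account", "rotate_privileged_credentials"]
    if i.attack_type == "worm" and i.exposure != "contained":
        actions.append("block_propagation_ports_at_segment_boundary")
    if i.attack_type == "ransomware":
        actions.append("verify_offline_backups")
    return actions


def escalation_level(i: Incident) -> str:
    """Predefined escalation tier (assumed): who gets paged for this incident."""
    if i.exposure == "external" or (i.asset_class == "medical_device" and i.in_clinical_use):
        return "executive"          # leadership team plus peering response groups
    if i.exposure == "lateral":
        return "incident_commander"
    return "soc"


def route(i: Incident) -> dict:
    """Answer the three triage questions and return the cascaded playbook set."""
    cascade = ["Cyber/Technology Teams"] + [name for name, rule in CASCADE if rule(i)]
    return {
        "base_playbook": BASE_PLAYBOOK.get(i.attack_type, "PB-MAL-GENERIC"),
        "cascade": cascade,
        "containment": containment_actions(i),
        "escalation": escalation_level(i),
    }


if __name__ == "__main__":
    # Constructed incident: a worm spreading laterally from an infusion pump in use.
    pump = Incident("worm", "medical_device", frozenset({"PHI"}), False, "lateral", True)
    for key, value in route(pump).items():
        print(f"{key}: {value}")
```

The rule table is deliberately data, not code paths: a new stakeholder or a changed threshold is a one-line edit that can be reviewed during an exercise, and the same table can be replayed against last year's incidents to see which playbooks would have fired.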
Effective Response: Communication

- The need to communicate effectively before, during and after an incident should not be underestimated.
- Preparation phase requirements and inputs should be well understood by technology/data custodians and system owners.
- Timing of stakeholder involvement is important.
- Balancing incident sensitivity classification and transparency must be addressed up front.
- A robust communication plan that reflects the different cyber incident stakeholder groups is critical to controlling incident impacts.
What to Expect for 2019

The Big Picture / Broader and Continuing Trends:
- A serious cyber event with socio-economic impact is increasingly likely
- Continued evolution of cyber conflicts for strategic and economic benefits
- Digitization (more data) and digitalization (more digital infrastructure)
- Technology adoption (IoT, cloud, 5G, AI/ML)

Consequently:
- Growing attack surface; attackers roll with opportunities
- New and creative attack vectors: supply chain as attack vector, data-in-motion attacks
- Political cyber-conflicts will be a growing risk
- We will continue to see big names in the headlines
- It will not just be about confidentiality anymore
What to Expect for 2019: AI & ML (Us vs. Them)

Let's not confuse the two. AI/ML refer to the capability of a machine to:
- ML = learn without explicitly being programmed (learning)
- AI = imitate intelligent human behavior (perception, decision, autonomy)

Attackers will exploit ML/AI systems and use them to aid their assaults:
- Craft new attacks, uncover new vulnerabilities (zero days)
- Circumvent our ML/AI defenses through model extraction or poisoning

Defenders will increasingly depend on ML/AI to counter attacks and identify vulnerabilities:
- Reliable and fast analysis of large, complex (and boring) data sets across multiple internal and external security control points
- Analyze information with no apparent logical or discernible pattern
- Rapid identification of new exploits (threat intelligence)
- Predictive protection (automated identification and response)
- Augment human talent (or the lack thereof)
What to Expect for 2019: AI & ML

ML / AI Utilization and Benefits - Examples

Attackers:
- Corrupt AI-based business systems
- Support intelligence and reconnaissance (network probing, vulnerabilities)
- Sophisticated and tailored social engineering attacks
- Realistic disinformation campaigns
- AI-powered toolkits and services

Defenders:
- Identify new threats and provide better (faster) threat intelligence
- Uncover & fix new vulnerabilities
- Advanced attack simulations
- Better detection and response capabilities
- Protect digital security and privacy (UBA, ID protection, content monitoring)

The "Terminator Wars" of the future will likely occur in cyber space and play out at a scale, speed, and cost that humans cannot match.
Technology Adoption as Opportunity: 5G

Technology Trends and Impact:
- 5G: from 1 Gbps to 10 Gbps, a $26B market by 2022 (IDG)
- 5G will drive other technologies and make them even more attractive:
  - Cloud: any data anywhere
  - Mobile: slow consumer adoption may limit penetration, but 5G will enable cheaper devices (less storage)
  - IoT: new IoT devices will provide 5G "out of the gate" and enable convenience and new value-added services
- IoT (and other) device traffic will bypass home routers and enterprise networks
- Crossover within a few years: more 5G devices will connect directly to public networks than via Wi-Fi routers

Opportunity for Adversaries:
- Expanded attack surface area
- Circumvent enterprise and home security controls
- Direct attack on devices
- Leverage a device as a "bridgehead"
- Capture or manipulate "data in motion" or poorly protected cloud accounts

Source: Symantec ISTR
Technology Adoption as Opportunity: IoT (IoMT / Embedded Systems / Medical Devices)

Technology Trends and Impact:
- Business: improve efficiency, reduce costs, benefit from more data points, etc.
- Consumer: improve comfort, ease of use, quality of life
- Enable new business and service delivery models through physical devices
- Provide service where the consumer (patient) is

Opportunity for Adversaries:
- Exploit poorly secured IoT infrastructure
- Bridge the virtual and physical worlds: attacks that can do damage
  - Kinetic attacks (e.g. cars, pacemakers)
  - Critical infrastructure: utilities, food supply, ports, traffic control, finance, healthcare
- IoT-based events will move beyond massive DDoS assaults (e.g. Mirai): ransom, blackmail, stalking, botnets, etc.

Source: Symantec ISTR
Other Relevant Threat Trends

Data-in-Transit Attacks:
- Gain access to routers and other network infrastructure:
  - Steal credentials, account, or other confidential information
  - Deliver a compromised web page to capture confidential information (a variation of "formjacking")
  - Manipulate data between sender and recipient

Supply Chain Attacks:
- Deliver payload (malware) via trusted 3rd-party software (e.g. Petya):
  - Difficult to identify: trusted domain, digitally signed, trusted update process
  - Benefit to the attacker: rapid distribution within a targeted industry or region
  - Circumvent traditional security controls; access with elevated privileges
- Potential to infect and utilize the hardware supply chain in the future:
  - Such an attack would be highly sophisticated and difficult to detect
  - Resistant to malware removal, reboot, reformatting, or reinstallation
Regulatory and Legislative Action

- GDPR (European General Data Protection Regulation) set the stage
  - Other nations are following suit (Canada, Brazil)
  - Distinct drivers are evolving: compliance, security, privacy, safety
- The U.S. has traditionally had a disparate approach (by state or by industry):
  - In 2018, California passed the toughest privacy law yet
  - Federal security and/or privacy laws may evolve over the next few years
  - Revision of the HIPAA Privacy Rule is under discussion
  - FDA guidance documents on medical device cybersecurity
  - NIST Cybersecurity Framework
  - NIST Privacy Framework (in progress)
  - HHS Cybersecurity Working Group and the resulting task group workstreams
  - Multiple House and Senate bills in process (medical devices, IoMT, IoT, certification)
- An uptick in legislative and regulatory security and privacy action is certain:
  - Improve consumer rights and protection
  - Reduce the risk of breach or harm
  - Harmonize requirements across regions and industries
  - Balanced with the need for information sharing
What have we learned

1. Orchestration: Playbooks and Automation
2. Analytics: Detection and Response
3. Post Incident: Lessons Learned

- Response activities must account for complex environments.
- Risk management and root cause analysis provide an important feedback loop.
- Threat models will need to have dynamically assigned actions with predefined escalation.
What have we learned: Orchestration

Advancing orchestration capabilities will be key in handling current and future threats. People training will be key!
What have we learned: Analytics

[Figure: John Boyd's OODA loop (Observe, Orient, Decide, Act) applied to the path from Event to Incident]

- Speed and quantity of attacks are increasing. This will require data to become a stronger factor in reducing friction within response processes.
- Improving system-to-system interfaces and automation to reduce response dwell time.
- Artificial intelligence and behavioral analytics are required to help better inform analysts and improve the response cycle.
What have we learned: Integration

- AI and analytics will need to be considered to help drive orchestration/automation and analyst practices, to improve time-to-detection and time-to-respond performance.
- Security architecture planning, reliability engineering and the development of performance measures will be critical.
- Integrating analytics into a continuous controls-testing model and the security architecture will be necessary to keep up with changing business, architectures, and development cycles.

[Figure: layered model of Advanced Cyber Operations, Orchestration Platform and Processes, Event-Analytics Systems, and AI/Behavioral Analytics, plotted against Analyst Time Consumption and Number of Events/Alerts to be acted on. The large volume of events handled by "village elders, rule of thumb, heuristics" is the opportunity for AI and behavioral analytics; the goal at the top of the stack is low quantity, minimal time and high fidelity.]
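The funnel described on the Analytics and Integration slides (many events in, few high-fidelity incidents out, with dwell time measured so the response cycle can be tuned) can be shown on a handful of log lines. The block below is an added example, not code from the keynote or from either presenter's organization. The sample telemetry is constructed; the event names, weights, 30-minute window and score threshold are assumptions. The behaviours it scores are the ones the Conficker slide lists (disabling AV and Windows Update, scanning the network for the same vulnerability), chosen because individually each looks like a routine ticket and together they are the signature of a worm establishing itself.

```python
"""Event-to-incident correlation with a fidelity score (added example, not the
keynote's code). Event names, weights, window and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: host-level telemetry, one event per line.
SAMPLE_LOG = [
    "2019-02-11T09:00:00Z host=ws-101 event=signature_hit_quarantined",
    "2019-02-11T09:02:10Z host=ws-101 event=av_disabled",
    "2019-02-11T09:03:45Z host=ws-101 event=windows_update_disabled",
    "2019-02-11T09:04:30Z host=ws-101 event=smb_scan_burst",
    "2019-02-11T09:10:00Z host=ws-202 event=signature_hit_quarantined",
    "2019-02-11T09:11:00Z host=ws-303 event=av_disabled",
    "2019-02-11T09:15:00Z host=ws-202 event=signature_hit_quarantined",
    "2019-02-11T11:30:00Z host=ws-303 event=smb_scan_burst",
]

# Fidelity weight per behaviour (assumed). A quarantined signature hit on its
# own is noise; an AV kill plus an update kill on the same box is not.
WEIGHTS: Dict[str, int] = {
    "av_disabled": 40,
    "windows_update_disabled": 30,
    "smb_scan_burst": 35,
    "autorun_exec": 20,
    "signature_hit_quarantined": 5,
}
WINDOW = timedelta(minutes=30)   # behaviours must co-occur within this window
THRESHOLD = 60                   # promote to an incident at or above this score
MIN_DISTINCT = 2                 # and only when at least two behaviours combine


def parse_event(line: str) -> dict:
    """'<iso-ts>Z host=<h> event=<e>' -> {'ts': datetime, 'host': str, 'event': str}."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": fields["host"], "event": fields["event"]}


def correlate(lines: List[str]) -> Tuple[List[dict], int]:
    """Fold per-host events into incidents; return (incidents, suppressed_event_count)."""
    by_host: Dict[str, List[dict]] = defaultdict(list)
    for ev in map(parse_event, lines):
        by_host[ev["host"]].append(ev)

    incidents: List[dict] = []
    consumed = 0
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        window: List[dict] = []
        for ev in events:
            window.append(ev)
            # Drop anything older than WINDOW relative to the newest event.
            window = [w for w in window if ev["ts"] - w["ts"] <= WINDOW]
            kinds = {w["event"] for w in window}
            score = sum(WEIGHTS.get(k, 0) for k in kinds)   # distinct kinds, not raw count
            if score >= THRESHOLD and len(kinds) >= MIN_DISTINCT:
                first_seen = window[0]["ts"]
                incidents.append({
                    "host": host,
                    "score": score,
                    "evidence": sorted(kinds),
                    "first_seen": first_seen,
                    "promoted_at": ev["ts"],
                    # Dwell: how long the host showed symptoms before an analyst sees it.
                    "dwell_seconds": (ev["ts"] - first_seen).total_seconds(),
                })
                consumed += len(window)
                window = []          # fresh window so the same incident is not raised twice
    suppressed = len(lines) - consumed   # low-fidelity events never shown as alerts
    return incidents, suppressed


if __name__ == "__main__":
    incs, quiet = correlate(SAMPLE_LOG)
    print(f"{len(SAMPLE_LOG)} events -> {len(incs)} incident(s), {quiet} suppressed")
    for inc in incs:
        print(inc)
```

On the constructed sample, eight events collapse into one incident on ws-101 (AV and Windows Update disabled within minutes of a quarantined signature hit), while ws-303's two symptoms fall outside the window and ws-202's repeated signature hits never reach the threshold. The dwell figure is the metric the Analytics slide asks for: it is what shrinks when system-to-system interfaces and automation improve.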
What we have learned: Post Incident

- Risk: provides transparency for executive leadership and defines risk tolerance, policy and remediation investment priorities.
- Operations: coordinates root cause analysis of bad outcomes (incidents or control performance issues). Operations consumes risk decisions and advances or corrects processes and technologies.
- Feedback: a control architecture review helps define the requirements and control robustness signaling between risk and operations.
Questions

Ron Mehring, CISSP
682-236-8282
ronaldmehring@texashealth.org
@mehringrc

Axel Wirth, CPHIMS, CISSP, HCISPP
617-999-4035
axel_wirth@symantec.com
@axel_wirth

"There's a clear pattern here which suggests an analogy to an infectious disease process, spreading from one area to the next. ... I must confess, I find it difficult to believe in a disease of machinery."
From the movie Westworld (1973)
Further Reading

- Scientific American: "When and how did the metaphor of the computer 'virus' arise?", https://www.scientificamerican.com/article/when-and-how-did-the-meta/
- Richard Clarke: "Cyber War: The Next Threat to National Security and What to Do About It", April 2012, https://www.amazon.com/gp/product/0061962244
- Bruce Schneier: "Click Here to Kill Everybody: Security and Survival in a Hyper-connected World", Sept. 2018, https://www.amazon.com/dp/0393608883
- The Conficker Working Group, http://www.confickerworkinggroup.org/wiki/pmwiki.php
- Magnolia Pictures: "Zero Days", July 2016, https://www.imdb.com/title/tt5446858/
- ISE: "Hacking Hospitals", Feb. 2016, https://www.securityevaluators.com/hospitalhack/
- UK Health and Social Care System: "Lessons learned review of the WannaCry Ransomware Cyber Attack", Feb. 2018, https://www.england.nhs.uk/wp-content/uploads/2018/02/lessons-learned-review-wannacry-ransomware-cyber-attack-cio-review.pdf
- AAMI: "Medical Device Cybersecurity – A Guide for HTM Professionals", June 2018, http://www.aami.org/productspublications/ProductDetail.aspx?ItemNumber=6489
- Symantec: "Internet Security Threat Report", annual, http://www.symantec.com/threatreport
- HIMSS Privacy & Security Committee, https://www.himss.org/library/healthcare-privacy-security
- NIST SP 800-61, "Computer Security Incident Handling Guide", https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
- Ponemon Institute: "The Value of AI in Cybersecurity", July 2018, https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=41017541USEN